“Controlled Unclassified Info” Policy Is On the Way

05.13.09 | 2 min read | Text by Steven Aftergood

A new government-wide policy on “controlled unclassified information” (CUI) is still more than a year away from implementation, but not because of any lack of attention or interest.  To the contrary, it is the subject of rather intensive policy deliberation, officials say, and is not “languishing” as Secrecy News stated on May 11.

CUI refers generally to information that is restricted in some way other than by national security classification.  Because such restrictions have taken many different forms and names — such as sensitive but unclassified, official use only, limited official use, and more than a hundred others — they have also become a disruptive barrier to communication and a source of confusion inside and outside of government.

While the nature of the problem is clear enough (i.e. a reckless proliferation of often arbitrary non-disclosure policies), and the solution is also straightforward in principle (i.e. increased restraint, uniformity and consistency), getting from here to there turns out to be an exceptionally complicated policy problem.  It involves the activities of dozens of federal agencies, as well as state, local, and tribal entities, industry and others.  It encompasses statutory and non-statutory control regimes.  A consensus policy must first be achieved, then translated into implementing regulations, and inculcated through training and education programs.

To gain traction on the problem, officials have broken it down into several sub-categories, including safeguarding policy, document designation, dissemination, and lifecycle (or “decontrol” of the information). Significant headway has been made in several of these areas, one official said.

The Obama Administration is expected to weigh in on the topic in the near future, adding new direction and impetus to the process.  But in any case, a new CUI policy is not expected to be in place before some time in Fiscal Year 2011.

“To undo decades of bad practices is going to take a while,” said William J. Bosanko, the director of the Information Security Oversight Office who is also leading the interagency CUI reform effort.